Risk Assessment and Risk Management
by Prof. Dr. Atef M. A-Moneim
Director of Research Center for Database and Programming, Cairo University
Cairo, 2005
ISBN 977-223-984-1
The role of our main partner, the Future Generation Foundation (FGF), during the
initial phase of implementation of the Pathways to Higher Education Project is also
acknowledged. The elaborate system of training they used in offering their Basic
Business Skills Acquisition (BBSA) program was inspiring in developing the
advanced training program under Pathways umbrella. This partnership with an NGO
reflected a truly successful model of coordination between CAPSCU and FGF, and its
continuity is mandatory in support of our young graduates interested in pursuing
research activities and/or finding better job opportunities.
The contribution of our partner, The National Council for Women (NCW), is
appreciated. It is worth mentioning that the percentage of females graduated from
Pathways programs has exceeded 50%, which is in line with FF and NCW general
objectives. The second phase of the project will witness a much more forceful
contribution from the NCW, particularly when implementing the program on the
governorates level as proposed by CAPSCU in a second phase of the program.
We also appreciate the efforts and collaborative attitude of all colleagues from Cairo
University, particularly the Faculties of Commerce, Art, Mass Communication, Law,
Economics and Political Sciences, and Engineering who contributed to the success of
this project.
Finally, thanks and appreciation are also extended to every member of the Center for
Advancement of Postgraduate Studies and Research in Engineering Sciences
(CAPSCU), Steering Committee members, trainers, supervisors and lecturers who
were carefully selected to oversee the successful implementation of this project, as
well as to all those who are contributing towards the accomplishment of the project
objectives.
Pathways Steering Committee Members
SN | Member Name | Title | Institution
1 | Dr. Ahmed Aboulwafa Mohamed | Professor and Chief of the Department of Public International Law, Faculty of Law and Ex-Vice Dean for Postgraduate Studies, Faculty of Law | CU
2 | Dr. Ahmed Farghally | Professor of Accounting and Dean of the Faculty of Commerce | CU
3 | Dr. Ali Abdel Rahman | President of Cairo University | CU
4 | Dr. Bassma Kodmani | Senior Program Officer, Governance and International Cooperation, Ford Foundation, Cairo Office | FF
5 | Dr. Fouad Khalaf | Ex-Project Manager, Project Consultant and Local Coordinator of TEMPUS Risk Project | CU
6 | Dr. Hoda Rashad | Professor and Director of Social Research Center, American University in Cairo (AUC) | NCW
7 | Dr. Kamel Ali Omran | Professor of Human Resources and Organizational Behavior, Business Administration and Ex-Vice Dean for Postgraduate Studies, Faculty of Commerce | CU
8 | Dr. Mahmoud Fahmy El Kourdy | Professor of Social Science and Ex-Vice Dean for Students Affairs, Faculty of Arts | CU
9 | Mr. Moataz El-Alfy | Vice Chairman of Future Generation Foundation | FGF
10 | Mr. Mohamed Farouk Hafeez | Secretary General and Board Member, Future Generation Foundation | FGF
11 | Dr. Mohamed K. Bedewy | Dean of the Faculty of Engineering and Chairman of CAPSCU Board | CAPSCU
12 | Dr. Mohamed M. Megahed | Director of CAPSCU | CAPSCU
13 | Dr. Mohsen Elmahdy Said | Project Coordinator | CU
14 | Dr. Salwa Shaarawy Gomaa | Professor of Public Policy and Ex-Director of Public Administration Research & Consultation Center (PARC), Faculty of Economics and Political Sciences | NCW & CU
15 | Dr. Sami El Sherif | Vice Dean for Students Affairs, Faculty of Mass Communication | CU
16 | Dr. Sayed Kaseb | Project Manager | CU
17 | Dr. Zeinab Mahmoud Selim | Professor of Statistics and Ex-Vice Dean for Students Affairs, Faculty of Economics and Political Sciences | CU
CU: Cairo University
NCW: National Council for Women
FF: Ford Foundation
FGF: Future Generation Foundation
CAPSCU: Center for Advancement of Postgraduate Studies and Research in
Engineering Sciences, Faculty of Engineering - Cairo University
Publisher Introduction
The Faculty of Engineering, Cairo University is a pioneer in the field of learning and
continual education and training. The Center for Advancement of Postgraduate Studies
and Research in Engineering Sciences, Faculty of Engineering - Cairo University
(CAPSCU) is one of the pillars of the scientific research centers in the Faculty of
Engineering. CAPSCU was established in 1974 in cooperation with UNIDO and
UNESCO organizations of the United Nations. Since 1984, CAPSCU has been
operating as a self-financed independent business unit within the overall goals of Cairo
University strategy to render its services toward development of society and
environment.
CAPSCU provides consultation services for public and private sectors and
governmental organizations. The center offers consultation on contractual basis in all
engineering disciplines. The expertise of the Faculty professors, who represent the pool
of consultants to CAPSCU, is supported by the laboratories, computational facilities,
library and internet services to assist in conducting technical studies, research and
development work, industrial research, continuous education, on-the-job training,
feasibility studies, assessment of technical and financial projects, etc.
The partners of the project are Future Generation Foundation (FGF), National Council
for Women (NCW) and Faculties of Humanities and Social Sciences at Cairo
University. A steering committee that includes representatives of these organizations
has been formed. Its main tasks are to steer the project, develop project policies and
supervise the implementation process.
Pathways steering committee defined the basic skills needed to bridge the gap between
capabilities of fresh university graduates and requirements of society and scientific research.
These skills are: mental, communication, personal and social, and managerial and team work,
in addition to complementary knowledge. Consequently, specialized professors were assigned
to prepare and deliver training material aiming at developing the previous skills through three
main training programs:
1. Enhancement of Research Skills
2. Training of Trainers
3. Development of Leadership Skills
The activities and training programs offered by the project are numerous. These activities
include:
1. Developing training courses to improve graduates' skills
2. Holding general lectures for PHE trainees and the stakeholders
3. Conducting graduation projects towards the training programs
Believing in the importance of spreading science and knowledge, Pathways management team
would like to introduce this edition of the training material. The material is thoroughly
developed to meet the needs of trainees. There have been previous versions for these course
materials; each version was evaluated by trainees, trainers and Project team. The development
process of both style and content of the material is continuing while more courses are being
prepared.
To further enhance the achievement of the project goals, it is planned to dedicate complete
copies of PHE scientific publications to all the libraries of the Egyptian universities and
project partners in order to participate in institutional capacity building. Moreover, the
training materials will be available online on the PHE website, www.Pathways-Egypt.com.
In the coming phases, the partners and project management team plan to widen project scope
to cover graduates of all Egyptian universities. It is also planned that underprivileged
distinguished senior undergraduates will be included in the targeted trainees in order to enable
their speedy participation in development of society.
Finally, we would like to thank the authors and colleagues who exerted enormous efforts and
continuous work to publish this book. Special credit goes to Prof. Fouad Khalaf for playing a
major role in the development phases and initiation of this project. We greatly appreciate the
efforts of all members of the steering committee of the project.
C6/1: Risk Assessment & Risk Management Risk Definition
All projects have risks, and all risks are ultimately handled: 1) some
disappear, 2) some develop into problems that demand attention,
and 3) a few escalate into crises that destroy projects. The goal of
risk management is to ensure that risks never fall into the third
category.
If there is one risk that is universally the most dangerous for all
projects, it is the following:
The only way to mitigate this risk is to document all other risks,
identify the actions you take, and keep management informed,
especially as the risk becomes more probable. It is only by
stressing your risk analysis, by making explicit recommendations, and
by insisting that management understand the risks that you can avoid
having to say, "See, I told you so."
1.2 Common Risks
Table 1.1 lists common risks that most projects will encounter;
they form a starting point for developing a catalog of risks. However,
the list is not exhaustive; most project managers will find several more
risks that they can add, and project experience will tend to increase
this number. When you are assessing the risks for your projects,
always refer to a list such as this. Otherwise, you run the project
Staff Risks
- Key staff will not be available when needed.
- Key skill sets will not be available when needed.
- Staff will be lost during the project.
Equipment Risks
- Required equipment will not be delivered on time.
- Access to hardware will be restricted.
- Equipment will fail.
Client Risks
- Client resources will not be made available as required.
- Client staff will not reach decisions in a timely manner.
- Deliverables will not be reviewed according to the schedule.
- Knowledgeable client staff will be replaced by those less qualified.
Scope Risks
- Requirements for additional effort will surface.
- Changes of scope will be deemed to be included in the project.
- Scope changes will be introduced without the knowledge of project management.
Technology Risks
- The technology will have technical or performance limitations that endanger the project.
- Technology components will not be easily integrated.
- The technology is new and poorly understood.
Delivery Risks
- System response time will not be adequate.
- System capacity requirements will exceed available capacity.
- The system will fail to meet functional requirements.
Physical Risks
- The office will be damaged by fire, flood, or other catastrophe.
- A computer virus will infect the development system.
- A team member will steal confidential material and make it available to competitors of the client.
1.3 Categorizing Risks
There are numerous statistical methods for defining degree of
risks, but the simplest categorization, and therefore the most
effective, is to describe risks as extreme, high, medium, low, or
minimal.
Consider two risks: that a team member will resign during the project
and that a fire will consume the office, destroying the installation and
all the work that has been done. Both risks are of medium degree. In
the first case, although the probability is high, the impact is low: You
assume that the team member will give adequate notice and can be
easily replaced. The second risk has a high (in fact, potentially
devastating) impact, but the probability is low and the risk is easily
mitigated by ensuring proper off-site backup.
You categorize risks so that you can identify those that are the
most dangerous and therefore require the most attention. It is
the extreme and high risks that need your attention first.
Risk category by probability (rows) and impact (columns):
Probability | Impact: High | Impact: Medium | Impact: Low
High | Extreme | High | Medium
Medium | High | Medium | Low
Low | Medium | Low | Minimal
You mitigate a risk by reducing its probability, its impact, or
both. Since every project is unique, so are the mitigating actions.
However, some principles apply across projects and risks.
you have exact dates when the project will require client
resources. If you are not able to give an exact date now, give a
date by which you will be able to.
smuggled into the system. In other words, the rumor mill is a prime
source of information about emerging risks.
The key rule to using the rumor mill is, "Don't shoot the messenger."
No matter how painful the information, thank the deliverer; otherwise,
like the jilted spouse, you will be the last to know.
All team members must be aware of the risks that have been
identified and awake to situations that affect them. To keep risks
visible, devote part of each team meeting to a "risk review" in which
the risks are addressed one by one, and team members are
instructed to comment on anything that affects each risk. The
purpose of the risk review is not to take action; it is to identify what
risks, if any, have changed. The risk review also uncovers new risks
as team members become attuned to dangerous situations.
2.1 Actions
Seek other, less expensive mitigation procedures that you can
use to reduce the risk to some extent.
Document your reasons for categorizing the risks as you did.
State the probability and describe the impact in graphic terms.
Present your analysis to the steering committee and request the
resources you need to mitigate the risk.
Table 2.1: Risks management worksheet
Risk Management Worksheet
Project : _______________________ Date : ______
Short name of the risk :
If you are not given the resources you requested, alert your
management to the danger and ask if they can apply leverage to the
client.
You could be faced with a large number of high or extreme risks, all of
which require effort and action. You could also be led into mitigation
procedures that are excessive, expensive, and time-consuming.
2.2.1 Business Risks
The majority of risks are business risks. That is true for any part of
the operation, but especially for projects. On a project, business risks
may include: response of the market to a product; inflation; weather; or
the performance of technology and resources. The manager's role is
to increase the chance of profit and reduce the chance of loss.
However, the expectation is that, on average, the risks will turn out
worse than better because, although the likelihood of profit and loss
may be the same, the maximum possible loss is very much greater
than the maximum profit. The weather may be kind as often as it is
unkind. However, bad weather can stop work completely or even
destroy previous work, but good weather seldom allows work to
proceed at double the normal pace.
Insurable risks lead to loss only, and are usually caused by
external, unpredictable factors. These are called insurable. But it is
not always possible to find a company to provide cover. For example,
war and civil disturbance are insurable risks, but are excluded from
most policies. Insurable risks fall within four areas:
2.3 Risk Management
Risk management is the process by which the likelihood of risk
occurring or its impact on the project is reduced. It has five steps:
One way of classifying risk is by where control of the risk lies.
However, project managers must have the right mental attitude to
risk, and expect risks where they are least expected. In that way, they
will be better able to respond to risks as they occur. They must also
be aware that exposure to risk can vary throughout the project
management life cycle.
2.3.2 Classifying Risks
There are five classifications of risk according to where control
lies:
a) External Unpredictable: These are risks beyond the control of
managers or their organizations, and are totally unpredictable.
They can be listed, but we cannot say which will be encountered
on a given project. They arise from the action of government,
third parties, or acts of God or from failure to complete the
project due to external influences. Government or regulatory
intervention can relate to supply of raw materials or finished
goods, environmental requirements, design or production
standards, or pricing. Many projects have been killed by the
unexpected requirement to hold a public enquiry into
environmental impact. Whether a change of government at an
e) Legal: Legal risks fall under civil and criminal law. Risks under
civil law arise from contractual arrangements with clients,
contractors or third parties, or from licenses, patent rights,
contractual failure or from force majeure (a unilateral claim by
one party to a contract). Risks under the criminal law are duties
imposed on both the owner and contractor. Under the Health
and Safety at Work Act 1974, all employers - not just in the
engineering industry - have a duty of care for their employees
and for the public. Therefore, project managers, their employers
(the contractors) and design teams can be held responsible if
The value of this attitude is that if you expect things to go wrong you
will be on your guard for problems, and will be able to respond quickly
to them. The failures may be ones you had predicted or ones you
least expect. If you anticipate problems, and plan appropriate
contingency, you will not be disrupted when those problems occur. If
the unexpected then also occurs, you will be able to focus your
management effort into the areas that might now cause greatest
disruption. This attitude of expecting risks and being ready to respond
is sometimes known as risk thinking. To some people it comes
naturally; others require structured, logical processes of risk
identification and analysis to support their response.
2.5 Variation of Risk with the Project Management Life Cycle
Like quality, the impact of risk varies throughout the project
management life cycle. The later in the cycle risks occur, the more
expensive are their consequences, but to counteract that, the less
likely they are to occur. Risk can be reduced at the design stage by
choosing a proven design rather than an untested one, or during the
implementation stage by choosing proven methodologies. Whenever
novelty is introduced the risk of failure grows throughout the life of the
project.
3.1 The Impact of Risk
The impact of a risk factor depends on its likelihood of occurring and the
consequence if it does occur:
The Top-Down Approach
The top-down approach can provide managers with a checklist of
potential risk factors based on previous experience and can help
them to determine each risk's relative importance. Furthermore, by
identifying the controlling relationships at a high level, it enables
project managers to find ways of eliminating the most severe risks
from their projects.
[Figure: precedence network for the warehouse project, with the activities
Design building and foundation, Prepare site and foundation, Procure
steelwork, and Erect steelwork]
Now let us consider the risks. Let us assume that the project will start at
the beginning of September, after the summer vacation. The risks are
as follows:
1. The design of the building may take more or less than three
months. From previous experience, we may be able to say it will
take two, three or four months with the following probabilities:
[Figure: probability calculation with branches labelled Working and No Working]
On the face of it, this appears the same as the design. However, the
power of this top-down approach is that you can decide what to do on
the day when you know how long the design has taken and how
you are progressing with the foundations. To understand this we
need to address the fourth risk.
The duration of this work will also depend on when it starts as with
preparing the site. However, what we can see is that if the design
work finishes at the end of October then it will be better to use the
more expensive supplier. There will then be a 50 percent chance
that erection can begin in December and finish in January without
any delay, or a 50 per cent chance that it will begin in January, in
which case it will finish in February with a 75 per cent chance. This
is of course dependent on the foundations being ready, and so if it
looks as though the steelwork design will be completed early then it
will be worthwhile fast tracking the foundations. On the other hand,
if the design takes four months, it would be better to use the
cheaper supplier and just plan to start erecting the steelwork in April
saving on extra cost of the foundations and on having erection
fitters standing idle.
This simple case shows that the top-down approach allows you to
analyze the interrelationships between elements of risk, and to make
management decisions based on that analysis and the actual out-turn.
Following a top-down approach, you are able to develop additional
detail in some areas. In the case above, for instance, you could
introduce a lower level of work breakdown to find out how to fast track
the design of the foundations to reduce the risk. That requires the
design to be broken into smaller packages of work subject to strict
design parameters at the top level.
the logic given in Table 3.1. For this simple case, the critical path may
go through either A-B-D or A-C-D, and the duration can be anything
from 6 to 11 months. The likelihood that either or both of the routes will
be the critical path is:
[Figure 3.4: Simple and cumulative probability distributions for the
duration of the project to build a warehouse. Two panels plotted against
outcome (6 to 11), each with a percentage scale from 20% to 80%.]
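The calculation behind the critical-path likelihoods and Figure 3.4, as an added example that is not taken from the book: it enumerates every combination of activity durations for the A-B-D / A-C-D network and derives the simple and cumulative distributions. The duration probabilities are constructed (chosen only so that the total ranges from 6 to 11 months), the mapping of B and C to activities is assumed, and the activities are treated as independent, whereas the book's case lets durations depend on the start month.

```python
from fractions import Fraction as F
from itertools import product

# Constructed duration distributions in months (assumed for illustration;
# the book's own probabilities are not reproduced on this page).
DURATIONS = {
    "A": {2: F(1, 4), 3: F(1, 2), 4: F(1, 4)},  # design building and foundation
    "B": {2: F(1, 2), 3: F(1, 4), 4: F(1, 4)},  # prepare site (assumed mapping)
    "C": {2: F(1, 2), 3: F(1, 2)},              # procure steelwork (assumed mapping)
    "D": {2: F(3, 4), 3: F(1, 4)},              # erect steelwork
}


def analyse(durations):
    """Enumerate every outcome; return (duration distribution, critical-path odds)."""
    names = ["A", "B", "C", "D"]
    dist = {}
    critical = {"A-B-D": F(0), "A-C-D": F(0), "both": F(0)}
    for combo in product(*(durations[n].items() for n in names)):
        months = {n: m for n, (m, _) in zip(names, combo)}
        prob = F(1)
        for _, p in combo:
            prob *= p
        # D can only start once both B and C are done, so the longer one governs.
        total = months["A"] + max(months["B"], months["C"]) + months["D"]
        dist[total] = dist.get(total, F(0)) + prob
        if months["B"] > months["C"]:
            critical["A-B-D"] += prob
        elif months["C"] > months["B"]:
            critical["A-C-D"] += prob
        else:
            critical["both"] += prob
    return dict(sorted(dist.items())), critical


def cumulative(dist):
    """P(project finishes within n months) for each possible n."""
    running, out = F(0), {}
    for months in sorted(dist):
        running += dist[months]
        out[months] = running
    return out


def months_for_confidence(dist, confidence):
    """Smallest duration whose cumulative probability reaches `confidence`."""
    for months, prob in cumulative(dist).items():
        if prob >= confidence:
            return months
    raise ValueError("confidence must be at most 1")


if __name__ == "__main__":
    dist, critical = analyse(DURATIONS)
    cum = cumulative(dist)
    for months in dist:
        print(f"{months:>2} months  P={float(dist[months]):.3f}  "
              f"P(<= {months})={float(cum[months]):.3f}")
    for route, prob in critical.items():
        print(f"critical path {route}: {float(prob):.3f}")
    print("80% confidence:", months_for_confidence(dist, F(4, 5)), "months")
```

Exact fractions are used so the probabilities sum to exactly 1; replacing the constructed tables with a project's own estimates gives the two curves of a figure like 3.4 directly.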
Communicating the Risk Analysis
- to the owners for them to assess its value,
- to the champions, so they can give their support and
commitment to the project,
- to the project managers so that they can develop their project
strategies and perform what-if analyses,
- to the integrators, to enable them to manage the risks during
implementation,
- to people joining the project at a later time so they know what
assumptions have been made, and
- to the users so that they know the commitments they are
making.
Pym and Wideman use an analogy of a man being shot at. He can take
cover to avoid the bullets; he can deflect them using a shield or divert the
bullets by placing someone else in the firing line; or he can allow them to
hit him and plan to repair the damage.
4.1 Avoidance
The warehouse project above showed how to avoid the risk of
snow holding up the preparation of the foundations, by starting the work
early enough so that it is finished before the snow comes. Under
avoidance you change the plan for any one of the five system
objectives or any combination of them to reduce the risk or
eliminate it entirely.
[Figure: Payment plotted against Out-turn for four contract types:
(a) Fixed price contract, (b) Cost plus, (c) Cost reimbursable, (d) Target price]
line. The supplier may not need the business from the
contractor but may have a better respect for the owner.
4.3 Contingency
The third response to risk is to make an allowance for it by adding a
contingency. You can add an allowance to any one of the five system
objectives, but typically there are two main approaches:
Controlling Risk
Having identified ways of reducing risk, you can implement a plan to
control the reduction. There are four basic steps in control:
- Draw up a plan
- Monitor progress against the plan
- Calculate variances
- Take action to overcome variances.
[Form: TRIMAGI COMMUNICATIONS BV, Risk Monitoring, with columns Month and Rank]
[Form: TRIMAGI COMMUNICATIONS BV, Risk Item Tracking Form, page 2 of 2, with
fields: Corrective action proposed/approved, Description, Risk reduction, Cost,
Responsible manager, Likelihood (low/medium/high), Revised date]
[Figure: network diagram from Start to End with activities A to L.
Legend: Event; Activity; LL = Latest time for event; t = Duration time]
Remarks
An activity cannot start before its beginning event occurs.
Project Web-site
www.Pathways-Egypt.com